EP2575297A2 - Apparatus and method for providing virtual private network service based on mutual authentication - Google Patents


Publication number
EP2575297A2
Authority
EP
European Patent Office
Prior art keywords
vpn
user device
data
server
public key
Legal status
Withdrawn
Application number
EP12186304A
Other languages
German (de)
French (fr)
Other versions
EP2575297A3 (en
Inventor
Seok-Min Lee
Nam-Soo Jeon
Seung-Woo Nam
Jin-Yong Kim
Current Assignee
Samsung SDS Co Ltd
Original Assignee
Samsung SDS Co Ltd
Application filed by Samsung SDS Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • the present inventive concept relates to an apparatus and method for providing a virtual private network (VPN) service based on mutual authentication, and more particularly, to an apparatus and method for providing a VPN service operating at an application layer having improved reliability.
  • an exemplary approach for connecting a head office and branch offices includes establishing a network between the offices using leased lines or frame relays.
  • this approach has a disadvantage in that the network line cost for building up the leased lines or frame relays is relatively expensive.
  • the VPN is a technology that virtually establishes private communication networks by connecting the head office and remote terminals (branches) using existing public networks to ensure secure communications.
  • a related art VPN is typically operated at a transport layer and a network layer using a protocol such as Internet Protocol Security (IPSec), Secure Sockets Layer (SSL), and so on.
  • this related art VPN is only operable at layers below the transport layer.
  • network scalability e.g., by additional relays
  • client portability is decreased due to the high dependency upon hardware.
  • a VPN scheme operating at an application layer has been proposed, in which a Secure Shell (SSH) protocol is employed.
  • a network may be scaled relatively easily, but only a simple path is provided when connecting via a relay server, and thus the reliability of the network is decreased.
  • VPN services should be provided to several enterprises rather than just one enterprise, and thus problems may be caused by differing network security schemes, and collisions of internet protocol (IP) traffic may occur.
  • Korean Patent Application Publication No. 10-2006-0126952 discloses a primary protocol service which controls access of a client to a host service.
  • a ticket agency transmits a first ticket and a second ticket to the client and the primary protocol service, respectively.
  • the primary protocol service and the host service receiving the tickets can communicate with each other using a secondary protocol.
  • the primary protocol service can communicate with the client using a primary protocol encapsulated within the secondary protocol.
  • the primary protocol service and the client receiving the tickets from the ticket agency transmit and receive data through protocol encapsulation, thereby maintaining the data security and reliability.
  • authentication of the client is implemented not by an active request of the client to the primary protocol service but by a selection of the ticket agency.
  • there is no procedure for authentication of the host service.
  • the reliability of a secure network between the client and the host service by the relaying of the primary protocol service may be decreased.
  • One or more exemplary embodiments may overcome the above disadvantages and other disadvantages not described above. However, it is understood that one or more exemplary embodiments are not required to overcome the disadvantages described above, and may not overcome any of the problems described above.
  • a virtual private network (VPN) service apparatus which receives a first public key and a second public key, wherein the first public key is received from a VPN server and provides access to a user device to a private network, and the second public key is received from the user device, the apparatus including: a storage unit configured to store the first public key and the second public key; an authentication unit configured to authenticate the VPN server using the first public key and to authenticate the user device using the second public key; and a tunnel management unit configured to generate a first VPN tunnel and a second VPN tunnel which respectively relay data between the user device and the VPN server, wherein the first VPN tunnel is configured to relay the data between the VPN server and the VPN service apparatus based on the authentication of the VPN server by the authentication unit, and wherein the second VPN tunnel is configured to relay the data between the VPN service apparatus and the user device based on the authentication of the user device by the authentication unit.
  • the data relayed between the user device and the VPN server through the first and second VPN tunnels may be encoded by a first encryption key preset between the user device and the VPN server.
  • the VPN service apparatus may further include a security processing unit configured to: decode user device data, if the data is received from the user device, with a second encryption key preset in conjunction with the user device, encode first encoded data by encoding the decoded user device data with a third encryption key preset in conjunction with the VPN server, and transmit the first encoded data to the VPN server; and decode VPN server data, if the data is received from the VPN server, with the third encryption key, encode second encoded data by encoding the decoded VPN server data with the second encryption key, and transmit the second encoded data to the user device.
  • the apparatus may further include a connection management unit configured to determine whether to connect the VPN server to the user device based on information in an authentication database.
  • the VPN service apparatus may further include a connection management unit, wherein if a request to access the VPN server is received from the user device, and the VPN server is included among a plurality of VPN servers having a same identification (ID), the connection management unit is configured to determine whether to connect the VPN server to the user device based on whether a load resulting from access of the user device would be equally distributed among the plurality of VPN servers having the same ID.
  • each of the plurality of VPN servers may have a different sub-ID.
  • the VPN service apparatus may further include a routing unit, wherein if a request to access the VPN server is received from the user device, the routing unit is configured to establish a routing path for the user device to be connected to the VPN service apparatus generating the first VPN tunnel in conjunction with the VPN server accessible by the user device.
  • the tunnel management unit may receive a third public key through the second VPN tunnel from the user device and transmit the third public key through the first VPN tunnel to the VPN server.
  • a virtual private network (VPN) service method for providing access of a user device to a private network through a VPN server, the method including: authenticating the VPN server with a first public key received from the VPN server; authenticating the user device with a second public key received from the user device; and generating a first VPN tunnel and a second VPN tunnel which respectively relay data between the VPN server and the user device, wherein the first VPN tunnel relays the data to and/or from the VPN server based on the authenticating of the VPN server, and wherein the second VPN tunnel relays the data to/from the user device based on the authenticating of the user device.
  • the data relayed between the user device and the VPN server through the first and second VPN tunnels may be encoded by a first encryption key preset between the user device and the VPN server.
  • the VPN service method may further include: decoding user device data, if the data is received from the user device, with a second encryption key preset in conjunction with the user device; encoding first encoded data by encoding the decoded user device data with a third encryption key preset in conjunction with the VPN server; transmitting the first encoded data to the VPN server; decoding VPN server data, if the data is received from the VPN server, with the third encryption key; encoding second encoded data by encoding the decoded VPN server data with the second encryption key; and transmitting the second encoded data to the user device.
  • the method may further include a connection management unit configured to determine whether to connect the VPN server to the user device based on information in an authentication database.
  • the connection management unit may be configured to determine whether to connect the VPN server to the user device based on whether a load resulting from access of the user device would be equally distributed among the plurality of VPN servers having the same ID.
  • the VPN service method may further include, if a request to access the VPN server is received from the user device, establishing a routing path for the user device to be connected to a VPN service apparatus generating the first VPN tunnel in conjunction with the VPN server accessible by the user device.
  • the VPN service method may further include: receiving a third public key through the second VPN tunnel; and transmitting the third public key through the first VPN tunnel to the VPN server.
  • a non-transitory computer-readable recording medium recording a program thereon for executing the virtual private network service method for providing access of a user device to a private network through a VPN server, the method including: authenticating the VPN server with a first public key received from the VPN server; authenticating the user device with a second public key received from the user device; and generating a first VPN tunnel and a second VPN tunnel which respectively relay data between the VPN server and the user device, wherein the first VPN tunnel relays the data to and/or from the VPN server based on the authenticating of the VPN server, and wherein the second VPN tunnel relays the data to/from the user device based on the authenticating of the user device.
  • a non-transitory computer-readable recording medium recording a program thereon for executing a method, which is implemented in a user device and provides access to a private network through a virtual private network (VPN) server and a VPN service apparatus, the method including: requesting the VPN server to perform an initial authentication; if the initial authentication by the VPN server is successful, generating a first public key, a first private key, a second public key and a second private key; registering the first public key with the VPN service apparatus and obtaining a first authentication from the VPN service apparatus with the first public key; registering the second public key with the VPN server and obtaining a second authentication from the VPN server with the second public key; and transmitting and/or receiving data to/from the VPN server via the VPN service apparatus, wherein the data is transmitted and/or received through a first VPN tunnel which is between the VPN service apparatus and the user device.
  • transmitting and/or receiving the data to/from the VPN server includes encoding the data to be transmitted to the VPN server with a first encryption key preset in conjunction with the VPN server, and decoding the data received from the VPN server with the first encryption key.
  • transmitting and/or receiving the data to/from the VPN server includes encoding the data to be transmitted to the VPN server with a first encryption key preset in conjunction with the VPN server and re-encoding the data with a second encryption key preset in conjunction with the VPN service apparatus; and decoding the data received from the VPN server with the second encryption key, and re-decoding the data with the first encryption key.
  • a virtual private network (VPN) providing apparatus for providing access of a user device to a private network
  • the apparatus including: a VPN key management unit configured to generate a first public key and a first private key to register the first public key with a VPN service apparatus relaying transmission and/or reception of data to/from the user device, and to obtain a registration of a second public key generated by the user device; a VPN authentication unit configured to authenticate the user device with the second public key; and a VPN data transceiver unit configured to transmit and/or receive the data to/from the user device via the VPN service apparatus through a first VPN tunnel, wherein the data is relayed between the VPN providing apparatus and the VPN service apparatus through the first VPN tunnel if the VPN providing apparatus is authenticated with the first public key.
  • the data to be transmitted to the user device via the VPN data transceiver unit may be encoded with a first encryption key preset in conjunction with the user device, and the data received from the user device via the VPN data transceiver unit may be decoded with the first encryption key.
  • the VPN providing apparatus may further include a VPN security processing unit configured to encode the data to be transmitted to the user device with a first encryption key preset in conjunction with the user device and re-encode the data with a second encryption key preset in conjunction with the VPN service apparatus; and decode the data received from the user device with the second encryption key, and re-decode the data with the first encryption key.
  • a virtual private network providing method for allowing access of a user device to a private network via a VPN service apparatus relaying transmission and reception of data to and from the user device, the method including: generating a first public key and a first private key; registering the first public key with the VPN service apparatus; obtaining a registration of a second public key generated by the user device; authenticating the user device with the second public key; and transmitting and/or receiving data to/from the user device through a first VPN tunnel, wherein the data is relayed through the first VPN tunnel which is between the VPN service apparatus and the user device if the user device is authenticated as a result of the authenticating.
  • the data to be transmitted to the user device in transmitting and/or receiving data to/from the user device may be encoded with a first encryption key preset in conjunction with the user device, and the data received from the user device may be decoded with the first encryption key.
  • the VPN providing method may further include encoding the data to be transmitted to the user device with a first encryption key preset in conjunction with the user device and re-encoding the data with a second encryption key preset in conjunction with the VPN service apparatus, and decoding the data received from the user device with the second encryption key and re-decoding the data with the first encryption key.
  • a non-transitory computer-readable recording medium recording a program thereon for executing the VPN providing method for allowing access of a user device to a private network via a VPN service apparatus relaying transmission and reception of data to and from the user device, the method including: generating a first public key and a first private key; registering the first public key with the VPN service apparatus; obtaining a registration of a second public key generated by the user device; authenticating the user device with the second public key; and transmitting and/or receiving data to/from the user device through a first VPN tunnel, wherein the data is relayed through the first VPN tunnel which is between the VPN service apparatus and the user device if the user device is authenticated as a result of the authenticating.
  • FIG. 1 is a diagram illustrating an overall network configuration including a virtual private network (VPN) service apparatus based on mutual authentication according to an exemplary embodiment.
  • FIG. 2 is a block diagram illustrating a configuration of a user device according to an exemplary embodiment.
  • FIG. 3 is a flowchart illustrating a procedure for executing a VPN client program capable of accessing a user device through a VPN server according to an exemplary embodiment.
  • FIG. 4 is a block diagram illustrating a configuration of a VPN service apparatus according to an exemplary embodiment.
  • FIG. 5 is a block diagram illustrating a configuration of a VPN server according to an exemplary embodiment.
  • FIG. 6 is a block diagram illustrating a configuration of a VPN server management unit according to an exemplary embodiment.
  • FIG. 7 is a flowchart illustrating a procedure for establishing a first VPN tunnel between a VPN service apparatus and a VPN server according to an exemplary embodiment.
  • FIG. 8 is a flowchart illustrating a procedure for establishing a second VPN tunnel between a VPN service apparatus and a user device according to an exemplary embodiment.
  • FIG. 9 is a diagram illustrating an exemplary embodiment in which a plurality of clients are managed by a VPN service apparatus according to an exemplary embodiment.
  • FIG. 10 is a diagram illustrating an embodiment of connecting a head office and branch offices using a VPN service apparatus according to an exemplary embodiment.
  • FIG. 1 is a diagram illustrating an overall network configuration including a VPN service apparatus 100 based on mutual authentication according to an embodiment.
  • a network includes a VPN service apparatus 100, a user device 110, an authentication server 120, an authentication database 130, and a VPN server 140.
  • the user device 110, also referred to as user equipment, may be a device in which a program for allowing access to the VPN server 140 is installed and executed.
  • An example of the user device 110 may include portable communication equipment such as a personal digital assistant (PDA), a smartphone, and a laptop computer, each capable of using a public network.
  • FIG. 2 is a block diagram illustrating a configuration of an exemplary embodiment of the user device 110.
  • the user device 110 includes a control unit 210, a storage unit 220, and a VPN connection unit 230.
  • unit means a hardware component, such as a processor or circuit, and/or a software component that is executed by a hardware component such as a processor.
  • the VPN connection unit 230 executes a VPN client program for allowing the user device 110 to access the VPN server 140.
  • An operating system (OS) is pre-installed on the control unit 210.
  • the OS logically connects and controls hardware components in the user device 110. Further, the OS links various application programs such as a VPN client program to the hardware components in the user device 110 and controls them.
  • the storage unit 220 stores instructions and data in an electronic format. When the user device 110 is operated normally, the storage unit 220 commonly stores a major portion of the OS, all or part of the application programs, the currently used data, and so on.
  • FIG. 3 is a flowchart illustrating a procedure for performing an access of a VPN connection unit 230 to a VPN server 140 according to an exemplary embodiment.
  • the VPN connection unit 230 transmits authentication data and an authentication request to the authentication server 120, which may send the authentication request to the VPN server 140 (S310).
  • the authentication data includes identification information (ID) of the VPN server 140 to be accessed. Then, the authentication server 120 may access the VPN server 140 using an ID of the VPN server 140 included in the authentication data and request authentication for the user device 110 (S310).
  • the authentication data and authentication request are transmitted to the authentication server 120 using a public internet protocol (IP).
  • the authentication data includes an ID of the VPN server 140 to be accessed, an ID of the user device 110, and an access password of the VPN server 140.
  • when the authentication by the VPN server 140 is successful, the VPN connection unit 230 generates a second public key, a second private key, a third public key, and a third private key (S320).
  • the VPN connection unit 230 registers the second public key in a VPN service apparatus 100 and obtains authentication from the VPN service apparatus 100 using the public key (S330). Specifically, when the VPN connection unit 230 requests access to the VPN service apparatus 100 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • the algorithm to be used between them includes an encryption algorithm, a hash algorithm, a Hash-based Message Authentication Code (HMAC) algorithm, and a compression algorithm.
  • a symmetric key (second encryption key) to be used in the algorithm e.g., Advanced Encryption Standard (AES), Triple Data Encryption Algorithm (3DES)
  • the VPN connection unit 230 then encrypts the ID of the VPN server 140, the ID of the user device 110 and the second private key using the second encryption key as the symmetric key, and requests the VPN service apparatus 100 to authenticate the VPN connection unit 230.
  • the VPN service apparatus 100 authenticates the VPN connection unit 230 using the second public key.
  • the VPN connection unit 230 registers the third public key in the VPN server 140, and then the VPN server 140 authenticates the VPN connection unit 230 using the third public key (S340). Specifically, when the VPN connection unit 230 requests access to the VPN server 140 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • the algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm.
  • a symmetric key (first encryption key) to be used in the algorithm e.g., AES, 3DES
  • the first encryption key is randomly regenerated and exchanged in a periodic manner.
  • the VPN connection unit 230 then encrypts the ID of the VPN server 140, the ID of the user device 110, and the third private key using the first encryption key as the symmetric key, and requests the VPN server 140 to authenticate the VPN connection unit 230.
  • the VPN server 140 authenticates the VPN connection unit 230 using the third public key.
  • the VPN connection unit 230 transmits and receives data to and from the VPN server 140 via a first VPN tunnel and a second VPN tunnel (S350). Through the second VPN tunnel, the data is transferred between the user device 110 and the VPN service apparatus 100. Through the first VPN tunnel, the data is transferred between the VPN service apparatus 100 and the VPN server 140.
  • the VPN connection unit 230 encodes the data to be transmitted to the VPN server 140 using the first encryption key, and decodes the data received from the VPN server 140 using the first encryption key, so that the VPN connection unit 230 may transmit and receive the data to and from the VPN server 140.
  • the VPN connection unit 230 encodes the data to be transmitted to the VPN server 140 using the second encryption key, and decodes the data received from the VPN server 140 using the second encryption key, so that the VPN connection unit 230 may transmit and receive the data to and from the VPN server 140.
  • the VPN connection unit 230 encodes data to be transmitted to the VPN server 140 using the first encryption key and then re-encodes the data using the second encryption key.
  • the VPN connection unit 230 decodes data received from the VPN server 140 using the second encryption key and then re-decodes the data using the first encryption key. It is therefore possible to improve the network security in the transmission and reception of data.
  • the VPN client program may be downloaded to and used in the user device 110 as an application from an operator side responsible for the VPN server 140. Alternatively, the VPN client program may be pre-loaded on the user device 110.
  • the authentication server 120 performs an initial registration process for connecting the user device 110 to the VPN server 140.
  • the VPN server 140 requests the authentication server 120 to issue a license key.
  • the authentication server 120, when receiving the request for issuing the license key from the VPN server 140, issues and transmits the license key to the VPN server 140.
  • the authentication server 120 then stores the ID of the VPN server 140 to which the license key is issued in the authentication database 130.
  • the authentication database 130 may include an ID of the VPN server 140, as well as other information.
  • the authentication server 120 requests the VPN server 140 to perform authentication using the license key.
  • the VPN server 140 verifies the license key to authenticate the authentication server 120, and then generates a first public key and a first private key.
  • the authentication server 120 encodes license information using the license key.
  • An example of the license information includes an ID of the VPN server 140, a license type, a license time-out period, the number of the user device 110, the number of the VPN server 140, and a major IP address and a port (e.g., port 3122).
  • the license information encoded using the license key is transmitted from the authentication server 120 to the VPN server 140 via a general web server.
  • the authentication server 120 receives the authentication data and authentication request from the user device 110.
  • the authentication data includes an ID of the VPN server 140 to be accessed, an ID of the user device 110, and an access password of the VPN server 140.
  • the authentication server 120 stores the authentication data received from the user device 110 in the authentication database 130.
  • the authentication server 120 also accesses the VPN server 140 using the ID of the VPN server 140 included in the authentication data, thereby requesting authentication of the user device 110.
  • the authentication server 120 informs the user device 110 that the authentication is successful.
  • the user device 110 after learning that the authentication is successful from the authentication server 120, generates a second public key, a second private key, a third public key, and a third private key, thereby preparing to transmit and/or receive data to and/or from the VPN server 140.
  • the VPN service apparatus 100 may be located in a network operation center (NOC) or a demilitarized zone (DMZ), which is a neutral area between a private network and a public network.
  • FIG. 4 is a block diagram illustrating a configuration of an exemplary embodiment of a VPN service apparatus 100 according to an exemplary embodiment.
  • The VPN service apparatus 100 includes a storage unit 410, an authentication unit 420, a tunnel management unit 430, a security processing unit 440, a connection management unit 450, and a routing unit 460.
  • The storage unit 410 stores a first public key generated by the VPN server 140 and a second public key generated by the user device 110.
  • The VPN server 140 verifies the license key to authenticate the authentication server 120, and then generates the first public key and the first private key.
  • When authenticated by the VPN server 140, the user device 110 generates a second public key and a second private key.
  • The authentication unit 420 authenticates the VPN server 140 using the first public key and authenticates the user device 110 using the second public key.
  • When the VPN server 140 requests access to the authentication unit 420 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • The algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm.
  • A symmetric key (third encryption key) to be used in the algorithm (e.g., AES, 3DES).
  • The third encryption key is randomly regenerated and exchanged in a periodic manner.
  • The VPN server 140 then encodes the ID of the VPN server 140, the ID of the user device 110 and the first private key using the third encryption key as the symmetric key, and requests the authentication unit 420 to perform authentication.
  • The authentication unit 420 authenticates the VPN server 140 using the first public key. That is, the authentication is implemented in an out-bound process by access to the VPN server 140.
  • When the user device 110 requests access to the authentication unit 420 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • The algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm.
  • A symmetric key (second encryption key) to be used in the algorithm (e.g., AES, 3DES).
  • The second encryption key is randomly regenerated and exchanged in a periodic manner.
  • The user device 110 then encodes the ID of the VPN server 140, the ID of the user device 110 and the second private key using the second encryption key as the symmetric key, and requests the authentication unit 420 to perform authentication.
  • The authentication unit 420 authenticates the user device 110 using the second public key.
  • The tunnel management unit 430 generates a first VPN tunnel and a second VPN tunnel to relay transmission and/or reception of data between the user device 110 and the VPN server 140.
  • Through the first VPN tunnel, the data is transferred to or from the VPN server 140 which is authenticated by the authentication unit 420.
  • Through the second VPN tunnel, the data is transferred to or from the user device 110 which is authenticated by the authentication unit 420.
  • The data which is transmitted and/or received between the user device 110 and the VPN server 140 through the first and second VPN tunnels may be encoded by the first encryption key preset between the user device 110 and the VPN server 140.
  • When receiving data from the user device 110, the security processing unit 440 decodes the data using the second encryption key preset in conjunction with the user device 110, encodes it using the third encryption key preset in conjunction with the VPN server 140, and then transmits it to the VPN server 140.
  • When receiving data from the VPN server 140, the security processing unit 440 decodes the data using the third encryption key, encodes it with the second encryption key, and then transmits it to the user device 110.
  • The security processing unit 440 may encode the data received from the user device 110 using the first encryption key, and then re-encode it with the second encryption key. Alternatively, the security processing unit may encode the data received from the VPN server 140 using the first encryption key, and then re-encode it with the third encryption key. That is, the security processing unit 440 can transmit and receive the re-encoded data.
  • When receiving a request to access the VPN server 140 from the user device 110, the connection management unit 450 determines that the VPN server 140 can be connected to the user device 110 on the basis of information in the authentication database 130, in which each of a plurality of VPN servers 140 is stored in association with information of at least one user device 110 allowed to access it.
  • The information of the at least one user device 110 allowed to access the plurality of VPN servers 140 respectively may be pre-stored within the authentication database 130, or may be received from the VPN server 140 and stored in the authentication database 130.
  • When receiving a request to access the VPN server 140 from the user device 110, the connection management unit 450 decides a VPN server 140 to be connected to the user device 110 such that the load resulting from access of the user device 110 may be equally distributed among the VPN servers 140 having the same ID.
  • Table 1 shows a user device 110 that can access VPN servers 140 having the same VPN ID but different sub-IDs.
  • Table 1
    VPN ID | VPN sub-ID | Accessible user devices
    A      | a, b       | 1, 2, 3, 4
  • When the VPN servers 140 have the same accessible user devices 110 (1, 2, 3, and 4), the VPN servers 140 have the same VPN ID (A) but different VPN sub-IDs (a and b).
  • The sub-ID may be a port number of an actual VPN server 140.
  • The connection management unit 450 decides a VPN server having sub-ID b to be connected to a user device 2 upon receiving a request for access to the VPN server 140 from the user device 2.
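
The selection rule described above (authorize the device against the authentication database 130, then spread devices across the servers that share a VPN ID) can be sketched as follows. This is an added example, not code from the patent; the class and method names, the least-connections rule and the tie-break on sub-ID are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class VpnServer:
    vpn_id: str   # shared by servers that accept the same set of user devices
    sub_id: str   # distinguishes servers with the same VPN ID (e.g. a port number)
    active: set = field(default_factory=set)   # IDs of devices currently connected


class ConnectionManager:
    """Hypothetical stand-in for connection management unit 450."""

    def __init__(self, allowed, servers):
        # allowed: VPN ID -> device IDs permitted to connect, i.e. the
        # association the page says is kept in the authentication database 130.
        self.allowed = {vpn_id: set(devs) for vpn_id, devs in allowed.items()}
        self.servers = list(servers)

    def connect(self, device_id, vpn_id):
        """Return the sub-ID of the server this device should be relayed to."""
        # Default deny: an unknown VPN ID or an unlisted device gets no server,
        # so one customer's devices cannot be steered onto another's path.
        if device_id not in self.allowed.get(vpn_id, set()):
            raise PermissionError(f"device {device_id} may not access VPN {vpn_id}")
        pool = [s for s in self.servers if s.vpn_id == vpn_id]
        if not pool:
            raise LookupError(f"no VPN server registered for VPN {vpn_id}")
        # A repeated request from a connected device keeps its existing server
        # and is not counted twice.
        for server in pool:
            if device_id in server.active:
                return server.sub_id
        # Assumed balancing rule: fewest active devices, ties broken by sub-ID.
        target = min(pool, key=lambda s: (len(s.active), s.sub_id))
        target.active.add(device_id)
        return target.sub_id

    def disconnect(self, device_id, vpn_id):
        """Release the device's slot so later requests can rebalance."""
        for server in self.servers:
            if server.vpn_id == vpn_id:
                server.active.discard(device_id)

    def load(self, vpn_id):
        """Map sub-ID -> number of connected devices for one VPN ID."""
        return {s.sub_id: len(s.active) for s in self.servers if s.vpn_id == vpn_id}


def build_table1_manager():
    """Constructed data matching Table 1: VPN ID A, sub-IDs a and b, devices 1-4."""
    return ConnectionManager(
        allowed={"A": {1, 2, 3, 4}},
        servers=[VpnServer("A", "a"), VpnServer("A", "b")],
    )


if __name__ == "__main__":
    cm = build_table1_manager()
    for dev in (1, 2, 3, 4):
        print("device", dev, "-> sub-ID", cm.connect(dev, "A"))
    print("load:", cm.load("A"))
```

With device 1 already connected to sub-ID a, device 2 is assigned sub-ID b, which is the outcome the description gives for user device 2.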
  • When receiving a request for access to a VPN server 140 from the user device 110, the routing unit 460 establishes a routing path that connects the user device 110 to the VPN service apparatus 100 that establishes a VPN tunnel in conjunction with the VPN server 140 accessible by the user device 110.
  • The plurality of VPN service apparatuses 100 are interconnected in a broadcasting way. Therefore, the routing unit 460 can search for the VPN service apparatus 100 that establishes a first VPN tunnel in conjunction with the VPN server 140 accessible by the user device 110.
  • The VPN server 140 is responsible for managing access of the VPN service apparatus 100 and the user device 110 to a client system.
  • The VPN server 140 is located within a private network separated by firewalls of the client system.
  • FIG. 5 is a block diagram illustrating a configuration of an exemplary embodiment of the VPN server 140.
  • The VPN server 140 includes a control unit 510, a storage unit 520, and a VPN server management unit 530.
  • The VPN server management unit 530 executes a VPN program for allowing access of the VPN server 140 to the user device 110.
  • An OS is pre-installed on the control unit 510.
  • The OS logically connects hardware components in the VPN server 140 to each other and controls them. Further, the OS links various application programs such as a VPN program to the hardware components in the VPN server 140 and controls them.
  • The storage unit 520 stores instructions and data in an electronic format.
  • The storage unit 220 commonly stores a major portion of the OS, all or part of application programs, the currently used data, and so on.
  • FIG. 6 is a block diagram illustrating a configuration of an exemplary embodiment of the VPN server management unit 530.
  • The VPN server management unit 530 includes a VPN key management unit 610, a VPN authentication unit 620, a VPN data transceiver unit 630, and a VPN security processing unit 640.
  • The VPN key management unit 610 generates a first public key and a first private key, and registers the first public key in the VPN service apparatus 100. A third public key generated by the user device 110 is registered in the VPN key management unit 610.
  • The VPN authentication unit 620 authenticates the user device 110 using the third public key. Specifically, when the user device 110 requests access using the third private key, the VPN authentication unit 620 authenticates the user device 110 using the third public key. In other words, when the user device 110 requests access to the VPN authentication unit 620 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • The algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm.
  • A symmetric key (first encryption key) to be used in the algorithm (e.g., AES, 3DES).
  • The first encryption key is randomly regenerated and exchanged in a periodic manner.
  • The user device 110 then encodes the ID of the VPN server 140, the ID of the user device 110 and the third private key using the first encryption key as the symmetric key, and requests the VPN authentication unit 620 to perform authentication.
  • The VPN authentication unit 620 authenticates the user device 110 using the third public key.
  • The VPN data transceiver unit 630 transmits and receives the data to and from the user device 110 via a first VPN tunnel and a second VPN tunnel.
  • Through the first VPN tunnel, the data is transferred between the VPN server 140 and the VPN service apparatus 100 which authenticates the VPN server 140 using the first public key.
  • Through the second VPN tunnel, the data is transferred between the VPN service apparatus 100 and the user device 110 which is authenticated by the authentication unit 620.
  • The data transmitted to the user device 110 via the VPN data transceiver unit 630 may be encoded using a first encryption key which is preset in conjunction with the user device 110.
  • The data received from the user device 110 via the VPN data transceiver unit 630 may be decoded using the first encryption key.
  • The VPN security processing unit 640 encodes the data to be transmitted to the user device 110 using the first encryption key preset in conjunction with the user device 110, and then re-encodes it using the third encryption key preset in conjunction with the VPN service apparatus 100.
  • When receiving data from the user device 110, the VPN security processing unit 640 decodes the data using the third encryption key and then re-decodes it using the first encryption key. It is therefore possible to improve the communication security by re-encoding data to be transmitted to the user device 110.
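
The layered encoding performed by the user device 110, the security processing unit 440 and the VPN security processing unit 640 can be traced end to end in a short sketch. This is an added example, not code from the patent: the function names are hypothetical, and an HMAC-SHA256 encrypt-then-MAC construction stands in for AES or 3DES so that it runs with the Python standard library only (a vetted AEAD mode such as AES-GCM is the practical choice).

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive separate encryption and MAC keys from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt then MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_frame(key, frame):
    """Verify the tag in constant time, then decrypt; reject anything else."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        raise ValueError("frame too short")
    enc_key, mac_key = _subkeys(key)
    nonce = frame[:NONCE_LEN]
    body = frame[NONCE_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, body)


# k1: first encryption key  (user device  <-> VPN server, end to end)
# k2: second encryption key (user device  <-> VPN service apparatus)
# k3: third encryption key  (VPN server   <-> VPN service apparatus)

def device_send(k1, k2, data):
    """User device 110: encode with the first key, re-encode with the second."""
    return seal(k2, seal(k1, data))


def relay_to_server(k2, k3, frame):
    """Security processing unit 440: strip the k2 layer, add the k3 layer.
    What it handles in between is still sealed under k1."""
    return seal(k3, open_frame(k2, frame))


def server_receive(k1, k3, frame):
    """VPN security processing unit 640: decode with k3, re-decode with k1."""
    return open_frame(k1, open_frame(k3, frame))


def server_send(k1, k3, data):
    return seal(k3, seal(k1, data))


def relay_to_device(k2, k3, frame):
    return seal(k2, open_frame(k3, frame))


def device_receive(k1, k2, frame):
    return open_frame(k1, open_frame(k2, frame))


if __name__ == "__main__":
    k1, k2, k3 = (secrets.token_bytes(32) for _ in range(3))
    msg = b"constructed sample payload"
    hop1 = device_send(k1, k2, msg)
    hop2 = relay_to_server(k2, k3, hop1)
    print(server_receive(k1, k3, hop2) == msg)
```

The relay holds only the second and third keys, so a compromise of the VPN service apparatus exposes traffic metadata but not the payload sealed under the first key.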
  • The authentication database 130 receives and stores various types of information from the authentication server 120 and the VPN server 140 across the network. As mentioned above, the authentication server 120 stores the authentication data received from the user device 110 in the authentication database 130.
  • The authentication data includes an ID of the VPN server 140, an ID of the user device 110, and an access password of the VPN server 140.
  • The VPN server 140 can authenticate the user device 110 on the basis of authentication data stored in the authentication database 130. Further, the authentication server 120 stores the ID of the VPN server 140 issuing a license key in the authentication database 130.
  • The information of at least one user device 110 allowed to access a plurality of VPN servers 140 respectively is stored in the authentication database 130. Furthermore, the VPN server 140 stores the information on the VPN server 140 including the ID of the VPN server 140 in the authentication database 130.
  • The authentication database 130 stores an ID and a sub-ID of the VPN server 140 as mentioned above, and information of the at least one user device 110 for which access is allowed. This information may be received from the VPN server 140 and stored, or may be pre-stored during construction of the authentication database 130.
  • FIG. 7 is a flowchart illustrating a procedure for establishing a first VPN tunnel between a VPN service apparatus 100 and a VPN server 140 according to an exemplary embodiment.
  • The VPN server 140 requests an authentication server 120 to issue a license key (S710). In response, the authentication server 120 issues the license key and transmits it to the VPN server 140. The authentication server 120 requests the VPN server 140 to perform authentication using the issued license key (S720). The VPN server 140 authenticates the authentication server 120 using the license key and generates a first public key and a first private key (S730).
  • The VPN server 140 registers the generated first public key in the VPN service apparatus 100 (S740).
  • The VPN server 140 then accesses the VPN service apparatus 100 and is authenticated using the first private key (S750).
  • The VPN server 140 encodes and transmits the first private key using a preset third encryption key.
  • The VPN service apparatus 100 then authenticates the VPN server 140 using the registered first public key.
  • A first VPN tunnel is generated between the VPN service apparatus 100 and the VPN server 140.
  • The data encoded using the third encryption key can be transferred through the first VPN tunnel.
  • FIG. 8 is a flowchart illustrating a procedure for establishing a second VPN tunnel between a VPN service apparatus 100 and a user device 110 according to an exemplary embodiment.
  • The user device 110 executes a VPN client program that can access a VPN server 140 (S810).
  • When the VPN client program executes, the user device 110 transmits authentication data and an authentication request to an authentication server 120 (S820).
  • The authentication data may include an ID of the VPN server 140, an ID of the user device 110, and an access password of the VPN server 140, etc., as mentioned above.
  • The authentication server 120 stores the received authentication data in an authentication database 130, accesses the VPN server 140 using the ID of the VPN server 140 included in the authentication data, and requests authentication for the user device 110 (S830).
  • The VPN server 140 authenticates the user device 110 on the basis of the authentication data stored in the authentication database 130 (S840).
  • The user device 110 then generates a second public key and a second private key (S850), and registers the second public key in the VPN service apparatus 100 (S860).
  • The user device 110 encodes the second private key using a preset second encryption key and transmits it to the VPN service apparatus 100.
  • The VPN service apparatus 100 authenticates the user device 110 using the registered second public key and generates a second VPN tunnel through which data is transmitted and received between the VPN service apparatus 100 and the user device 110. Through this tunnel, data encoded using the second encryption key may be transferred between the VPN service apparatus 100 and the user device 110.
  • The user device 110 generates a third public key and a third private key (S870), and registers the third public key in the VPN server 140 (S880).
  • The third public key is registered in the VPN server 140 through a first VPN tunnel between the VPN service apparatus 100 and the VPN server 140.
  • The user device 110 encodes the third private key using a preset first encryption key and transmits it to the VPN server 140.
  • The VPN server 140 authenticates the user device 110 using the registered third public key.
  • Data encoded using the first encryption key can be transmitted and received through the second VPN tunnel between the VPN service apparatus 100 and the user device 110 which is authenticated using the third public key, and the first VPN tunnel between the VPN service apparatus 100 and the VPN server 140.
  • FIG. 9 is a diagram illustrating an exemplary embodiment in which a plurality of clients are managed by the VPN service apparatus 100 according to an exemplary embodiment.
  • The VPN service apparatus 100 performs customer-specific authentication processes and establishes a tunnel for transmitting and receiving data to provide an authenticated VPN path. That is to say, a user device of a customer 1 may access a VPN server of the customer 1 using the VPN path authenticated for the customer 1, but cannot use the VPN path authenticated for a customer 2.
  • Transmission or reception of data may be implemented using an encryption key between a user device of the customer 2 and a VPN server of the customer 2. Therefore, the user device of the customer 1 cannot access the VPN path authenticated for the customer 2, and the security for each customer is maintained.
  • Customers can economically introduce the VPN service apparatus 100. Also, customers can establish a communication network only by authentication of the VPN service apparatus 100 after introducing the VPN server 140.
  • FIG. 10 is a diagram illustrating an embodiment of connecting a head office with branch offices using a VPN service apparatus 100 according to an exemplary embodiment.
  • Connection conditions can be adjusted to minimize a load applied to the entire VPN service apparatus 100.
  • The information of a user device 110 and a VPN server 140 to be connected may be preset and pre-stored in an authentication database 130 to minimize the load.
  • Entire connection conditions may be controlled by a system for managing the VPN service apparatus 100.
  • Some examples described herein can be machine or computer-implemented at least in part. Some examples can include a computer-readable recording medium or machine-readable recording medium encoded with instructions operable to configure an electronic device to perform methods as described in the above examples.
  • An implementation of such methods can include code, such as microcode, assembly language code, a higher-level language code, or the like. Such code can include computer readable instructions for performing various methods. The code may form portions of computer program products. Further, the code can be tangibly stored on one or more volatile or nonvolatile tangible computer-readable recording media, such as during execution or at other times.
  • Examples of these tangible computer-readable recording media can include, but are not limited to, hard disks, removable magnetic disks, removable optical discs (e.g., compact discs and digital video discs), magnetic cassettes, memory cards or sticks, compact disc read-only memories (CD-ROMs), random access memories (RAMs), read only memories (ROMs), carrier waves (e.g., transmission over the Internet), and the like.
  • An apparatus and method for providing a VPN service based on mutual authentication provide a connection in which reliability and security are improved by means of mutual authentication between a client and a VPN server. Also, some embodiments provide an advantage that high scalability and good load balancing are achievable at a low cost by constructing a multi-tiered structure in which several servers are connected. This structure allows problems related to network compatibility and IP collision to be solved by a hosted VPN service of an application layer with no IP allocation.

Abstract

An apparatus and method for providing a virtual private network (VPN) service based on mutual authentication are provided, the apparatus including a storage unit configured to store a first public key and a second public key; an authentication unit configured to authenticate a VPN server with the first public key and to authenticate a user device with the second public key; and a tunnel management unit configured to generate a first VPN tunnel and a second VPN tunnel to relay data between the user device and the VPN server based on the authentication of the VPN server and the user device by the authentication unit.

Description

    CROSS-REFERENCE TO RELATED APPLICATION
  • This application claims priority from Korean Patent Application No. 10-2011-0098387, filed on September 28, 2011, the disclosure of which is incorporated herein by reference in its entirety.
    BACKGROUND
    1. Field
  • The present inventive concept relates to an apparatus and method for providing a virtual private network (VPN) service based on mutual authentication, and more particularly, to an apparatus and method for providing a VPN service operating at an application layer having improved reliability.
    2. Discussion of Related Art
  • In distributed enterprise environments, an exemplary approach for connecting a head office and branch offices includes establishing a network between the offices using leased lines or frame relays. However, this approach has a disadvantage in that the network line cost for building up the leased lines or frame relays is relatively expensive.
  • Therefore, virtual private network (VPN) technology, which employs a low cost Internet-based public network compared to the leased lines or frame relays, is being more widely used. The VPN is a technology that virtually establishes private communication networks by connecting the head office and remote terminals (branches) using existing public networks to ensure secure communications.
  • A related art VPN is typically operated at a transport layer and a network layer using a protocol such as Internet Protocol Security (IPSec), Secure Sockets Layer (SSL), and so on. However, this related art VPN is only operable at layers below the transport layer. As a result, network scalability (e.g., by additional relays) is difficult to achieve and client portability is decreased due to the high dependency upon hardware.
  • To overcome this disadvantage, a VPN scheme operating at an application layer has been proposed, in which a Secure Shell (SSH) protocol is employed. In a VPN operating at the application layer, a network may be scaled relatively easily, but only a simple path is provided when connecting via a relay server, and thus the reliability of the network is decreased. Also, when a hosted VPN service in which a plurality of VPN servers are connected to one relay server is provided, VPN services should be provided to several enterprises rather than just one enterprise, and thus problems may be caused by differing network security schemes, and collisions of internet protocol (IP) traffic may occur.
  • Korean Patent Application Publication No. 10-2006-0126952 discloses a primary protocol service which controls access of a client to a host service. A ticket agency transmits a first ticket and a second ticket to the client and the primary protocol service, respectively. The primary protocol service and the host service receiving the tickets can communicate with each other using a secondary protocol. Also, the primary protocol service can communicate with the client using a primary protocol encapsulated within the secondary protocol.
  • The primary protocol service and the client receiving the tickets from the ticket agency transmit and receive data through protocol encapsulation, thereby maintaining the data security and reliability. However, authentication of the client is implemented not by an active request of the client to the primary protocol service but by a selection of the ticket agency. Furthermore, there is no procedure for authentication of the host service. Thus, the reliability of a secure network between the client and the host service by the relaying of the primary protocol service may be decreased.
    SUMMARY
  • One or more exemplary embodiments may overcome the above disadvantages and other disadvantages not described above. However, it is understood that one or more exemplary embodiments are not required to overcome the disadvantages described above, and may not overcome any of the problems described above.
  • According to an aspect of an exemplary embodiment, there is provided a virtual private network (VPN) service apparatus which receives a first public key and a second public key, wherein the first public key is received from a VPN server which provides access of a user device to a private network, and the second public key is received from the user device, the apparatus including: a storage unit configured to store the first public key and the second public key; an authentication unit configured to authenticate the VPN server using the first public key and to authenticate the user device using the second public key; and a tunnel management unit configured to generate a first VPN tunnel and a second VPN tunnel which respectively relay data between the user device and the VPN server, wherein the first VPN tunnel is configured to relay the data between the VPN server and the VPN service apparatus based on the authentication of the VPN server by the authentication unit, and wherein the second VPN tunnel is configured to relay the data between the VPN service apparatus and the user device based on the authentication of the user device by the authentication unit.
  • The data relayed between the user device and the VPN server through the first and second VPN tunnels may be encoded by a first encryption key preset between the user device and the VPN server.
  • The VPN service apparatus may further include a security processing unit configured to: decode user device data, if the data is received from the user device, with a second encryption key preset in conjunction with the user device, encode first encoded data by encoding the decoded user device data with a third encryption key preset in conjunction with the VPN server, and transmit the first encoded data to the VPN server; and decode VPN server data, if the data is received from the VPN server, with the third encryption key, encode second encoded data by encoding the decoded VPN server data with the second encryption key, and transmit the second encoded data to the user device.
  • If a request to access the VPN server is received from the user device, the apparatus may further include a connection management unit configured to determine whether to connect the VPN server to the user device based on information in an authentication database.
  • The VPN service apparatus may further include a connection management unit, wherein if a request to access the VPN server is received from the user device, and the VPN server is included among a plurality of VPN servers having a same identification (ID), the connection management unit is configured to determine whether to connect the VPN server to the user device based on whether a load resulting from access of the user device would be equally distributed among the plurality of VPN servers having the same ID.
  • Each of the plurality of VPN servers may have a different sub-ID.
  • The VPN service apparatus may further include a routing unit, wherein if a request to access the VPN server is received from the user device, the routing unit is configured to establish a routing path for the user device to be connected to the VPN service apparatus generating the first VPN tunnel in conjunction with the VPN server accessible by the user device.
  • The tunnel management unit may receive a third public key through the second VPN tunnel from the user device and transmit the third public key through the first VPN tunnel to the VPN server.
  • According to an aspect of an exemplary embodiment, there is provided a virtual private network (VPN) service method for providing access of a user device to a private network through a VPN server, the method including: authenticating the VPN server with a first public key received from the VPN server; authenticating the user device with a second public key received from the user device; and generating a first VPN tunnel and a second VPN tunnel which respectively relay data between the VPN server and the user device, wherein the first VPN tunnel relays the data to and/or from the VPN server based on the authenticating of the VPN server, and wherein the second VPN tunnel relays the data to/from the user device based on the authenticating of the user device.
  • The data relayed between the user device and the VPN server through the first and second VPN tunnels may be encoded by a first encryption key preset between the user device and the VPN server.
  • The VPN service method may further include: decoding user device data, if the data is received from the user device, with a second encryption key preset in conjunction with the user device; encoding first encoded data by encoding the decoded user device data with a third encryption key preset in conjunction with the VPN server; transmitting the first encoded data to the VPN server; decoding VPN server data, if the data is received from the VPN server, with the third encryption key; encoding second encoded data by encoding the decoded VPN server data with the second encryption key; and transmitting the second encoded data to the user device.
  • If a request to access the VPN server is received from the user device, the method may further include a connection management unit configured to determine whether to connect the VPN server to the user device based on information in an authentication database.
  • If a request to access the VPN server is received from the user device, and the VPN server is included among a plurality of VPN servers having a same identification (ID), the connection management unit may be configured to determine whether to connect the VPN server to the user device based on whether a load resulting from access of the user device would be equally distributed among the plurality of VPN servers having the same ID.
  • The VPN service method may further include, if a request to access the VPN server is received from the user device, establishing a routing path for the user device to be connected to a VPN service apparatus generating the first VPN tunnel in conjunction with the VPN server accessible by the user device.
  • The VPN service method may further include: receiving a third public key through the second VPN tunnel; and transmitting the third public key through the first VPN tunnel to the VPN server.
  • According to an exemplary embodiment, there is provided a non-transitory computer-readable recording medium recording a program thereon for executing the virtual private network service method for providing access of a user device to a private network through a VPN server, the method including: authenticating the VPN server with a first public key received from the VPN server; authenticating the user device with a second public key received from the user device; and generating a first VPN tunnel and a second VPN tunnel which respectively relay data between the VPN server and the user device, wherein the first VPN tunnel relays the data to and/or from the VPN server based on the authenticating of the VPN server, and wherein the second VPN tunnel relays the data to/from the user device based on the authenticating of the user device.
  • According to an aspect of an exemplary embodiment, there is provided a non-transitory computer-readable recording medium recording a program thereon for executing a method, which is implemented in a user device and provides access to a private network through a virtual private network (VPN) server and a VPN service apparatus, the method including: requesting the VPN server to perform an initial authentication; if the initial authentication by the VPN server is successful, generating a first public key, a first private key, a second public key and a second private key; registering the first public key with the VPN service apparatus and obtaining a first authentication from the VPN service apparatus with the first public key; registering the second public key with the VPN server and obtaining a second authentication from the VPN server with the second public key; and transmitting and/or receiving data to/from the VPN server via the VPN service apparatus, wherein the data is transmitted and/or received through a first VPN tunnel which is between the VPN service apparatus and the user device.
  • The non-transitory computer-readable recording medium of claim 18, wherein transmitting and/or receiving the data to/from the VPN server includes encoding the data to be transmitted to the VPN server with a first encryption key preset in conjunction with the VPN server, and decoding the data received from the VPN server with the first encryption key.
  • The non-transitory computer-readable recording medium of claim 18, wherein transmitting and/or receiving the data to/from the VPN server includes encoding the data to be transmitted to the VPN server with a first encryption key preset in conjunction with the VPN server and re-encoding the data with a second encryption key preset in conjunction with the VPN service apparatus; and decoding the data received from the VPN server with the second encryption key, and re-decoding the data with the first encryption key.
  • According to an aspect of an exemplary embodiment, there is provided a virtual private network (VPN) providing apparatus for providing access of a user device to a private network, the apparatus including: a VPN key management unit configured to generate a first public key and a first private key to register the first public key with a VPN service apparatus relaying transmission and/or reception of data to/from the user device, and to obtain a registration of a second public key generated by the user device; a VPN authentication unit configured to authenticate the user device with the second public key; and a VPN data transceiver unit configured to transmit and/or receive the data to/from the user device via the VPN service apparatus through a first VPN tunnel, wherein the data is relayed between the VPN providing apparatus and the VPN service apparatus through the first VPN tunnel if the VPN providing apparatus is authenticated with the first public key.
  • The data to be transmitted to the user device via the VPN data transceiver unit may be encoded with a first encryption key preset in conjunction with the user device, and the data received from the user device via the VPN data transceiver unit may be decoded with the first encryption key.
  • The VPN providing apparatus may further include a VPN security processing unit configured to encode the data to be transmitted to the user device with a first encryption key preset in conjunction with the user device and re-encode the data with a second encryption key preset in conjunction with the VPN service apparatus; and decode the data received from the user device with the second encryption key, and re-decode the data with the first encryption key.
  • According to an aspect of an exemplary embodiment, there is provided a virtual private network (VPN) providing method for allowing access of a user device to a private network via a VPN service apparatus relaying transmission and reception of data to and from the user device, the method including: generating a first public key and a first private key; registering the first public key with the VPN service apparatus; obtaining a registration of a second public key generated by the user device; authenticating the user device with the second public key; and transmitting and/or receiving data to/from the user device through a first VPN tunnel, wherein the data is relayed through the first VPN tunnel which is between the VPN service apparatus and the user device if the user device is authenticated as a result of the authenticating.
  • The data to be transmitted to the user device in transmitting and/or receiving data to/from the user device may be encoded with a first encryption key preset in conjunction with the user device, and the data received from the user device may be decoded with the first encryption key.
  • The VPN providing method may further include encoding the data to be transmitted to the user device with a first encryption key preset in conjunction with the user device and re-encoding the data with a second encryption key preset in conjunction with the VPN service apparatus, and decoding the data received from the user device with the second encryption key and re-decoding the data with the first encryption key.
  • According to an aspect of an exemplary embodiment, there is provided a non-transitory computer-readable recording medium recording a program thereon for executing the VPN providing method for allowing access of a user device to a private network via a VPN service apparatus relaying transmission and reception of data to and from the user device, the method including: generating a first public key and a first private key; registering the first public key with the VPN service apparatus; obtaining a registration of a second public key generated by the user device; authenticating the user device with the second public key; and transmitting and/or receiving data to/from the user device through a first VPN tunnel, wherein the data is relayed through the first VPN tunnel which is between the VPN service apparatus and the user device if the user device is authenticated as a result of the authenticating.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The above and other objects, features and aspects will become more apparent to those of ordinary skill in the art by describing in detail exemplary embodiments thereof with reference to the accompanying drawings, in which:
  • FIG. 1 is a diagram illustrating an overall network configuration including a virtual private network (VPN) service apparatus based on mutual authentication according to an exemplary embodiment.
  • FIG. 2 is a block diagram illustrating a configuration of a user device according to an exemplary embodiment.
  • FIG. 3 is a flowchart illustrating a procedure for executing a VPN client program capable of accessing a user device through a VPN server according to an exemplary embodiment.
  • FIG. 4 is a block diagram illustrating a configuration of a VPN service apparatus according to an exemplary embodiment.
  • FIG. 5 is a block diagram illustrating a configuration of a VPN server according to an exemplary embodiment.
  • FIG. 6 is a block diagram illustrating a configuration of a VPN server management unit according to an exemplary embodiment.
  • FIG. 7 is a flowchart illustrating a procedure for establishing a first VPN tunnel between a VPN service apparatus and a VPN server according to an exemplary embodiment.
  • FIG. 8 is a flowchart illustrating a procedure for establishing a second VPN tunnel between a VPN service apparatus and a user device according to an exemplary embodiment.
  • FIG. 9 is a diagram illustrating an exemplary embodiment in which a plurality of clients are managed by a VPN service apparatus according to an exemplary embodiment.
  • FIG. 10 is a diagram illustrating an embodiment of connecting a head office and branch offices using a VPN service apparatus according to an exemplary embodiment.
  • DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
  • Exemplary embodiments will be described in detail below with reference to the accompanying drawings. While the present invention is shown and described in connection with exemplary embodiments thereof, it will be apparent to those skilled in the art that various modifications can be made without departing from the spirit and scope of the invention.
  • A method and apparatus for providing a virtual private network (VPN) service based on mutual authentication according to an exemplary embodiment will be described in detail with reference to the accompanying drawings.
  • FIG. 1 is a diagram illustrating an overall network configuration including a VPN service apparatus 100 based on mutual authentication according to an embodiment.
  • Referring to FIG. 1, a network includes a VPN service apparatus 100, a user device 110, an authentication server 120, an authentication database 130, and a VPN server 140.
  • The user device 110, also referred to as user equipment, may be a device in which a program for allowing access to the VPN server 140 is installed and performed. An example of the user device 110 may include portable communication equipment such as a personal digital assistant (PDA), a smartphone, and a laptop computer, each capable of using a public network. However, other exemplary embodiments are not limited thereto.
  • FIG. 2 is a block diagram illustrating a configuration of an exemplary embodiment of the user device 110.
  • Referring to FIG. 2, the user device 110 includes a control unit 210, a storage unit 220, and a VPN connection unit 230. The term "unit" as used herein means a hardware component, such as a processor or circuit, and/or a software component that is executed by a hardware component such as a processor.
  • The VPN connection unit 230 executes a VPN client program for allowing the user device 110 to access the VPN server 140. An operating system (OS) is pre-installed on the control unit 210. The OS logically connects and controls hardware components in the user device 110. Further, the OS links various application programs such as a VPN client program to the hardware components in the user device 110 and controls them.
  • The storage unit 220 stores instructions and data in an electronic format. When the user device 110 is operated normally, the storage unit 220 commonly stores a major portion of the OS, all or part of application programs, the currently used data, and so on.
  • FIG. 3 is a flowchart illustrating a procedure for performing an access of a VPN connection unit 230 to a VPN server 140 according to an exemplary embodiment.
  • The VPN connection unit 230 transmits authentication data and an authentication request to the authentication server 120, which may send the authentication request to the VPN server 140 (S310). The authentication data includes identification information (ID) of the VPN server 140 to be accessed. Then, the authentication server 120 may access the VPN server 140 using an ID of the VPN server 140 included in the authentication data and request authentication for the user device 110 (S310).
  • The authentication data and authentication request are transmitted to the authentication server 120 using a public internet protocol (IP). The authentication data includes an ID of the VPN server 140 to be accessed, an ID of the user device 110, and an access password of the VPN server 140.
  • When the authentication by the VPN server 140 is successful, the VPN connection unit 230 generates a second public key, a second private key, a third public key, and a third private key (S320).
  • The VPN connection unit 230 registers the second public key in a VPN service apparatus 100 and obtains authentication from the VPN service apparatus 100 using the second public key (S330). Specifically, when the VPN connection unit 230 requests access to the VPN service apparatus 100 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • In this case, the algorithm to be used between them includes an encryption algorithm, a hash algorithm, a Hash-based Message Authentication Code (HMAC) algorithm, and a compression algorithm. After an algorithm to be used is selected, a symmetric key (second encryption key) to be used in the algorithm (e.g., Advanced Encryption Standard (AES), Triple Data Encryption Algorithm (3DES)) is generated and exchanged between them. The second encryption key is randomly regenerated and exchanged in a periodic manner.
  • The VPN connection unit 230 then encrypts the ID of the VPN server 140, the ID of the user device 110 and the second private key using the second encryption key as the symmetric key, and requests the VPN service apparatus 100 to authenticate the VPN connection unit 230. The VPN service apparatus 100 authenticates the VPN connection unit 230 using the second public key.
  • The VPN connection unit 230 registers the third public key in the VPN server 140, and then the VPN server 140 authenticates the VPN connection unit 230 using the third public key (S340). Specifically, when the VPN connection unit 230 requests access to the VPN server 140 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • In this case, the algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm. After an algorithm to be used is selected, a symmetric key (first encryption key) to be used in the algorithm (e.g., AES, 3DES) is generated and exchanged between them. The first encryption key is randomly regenerated and exchanged in a periodic manner.
  • The VPN connection unit 230 then encrypts the ID of the VPN server 140, the ID of the user device 110, and the third private key using the first encryption key as the symmetric key, and requests the VPN server 140 to authenticate the VPN connection unit 230. The VPN server 140 authenticates the VPN connection unit 230 using the third public key.
  • The VPN connection unit 230 transmits and receives data to and from the VPN server 140 via a first VPN tunnel and a second VPN tunnel (S350). Through the second VPN tunnel, the data is transferred between the user device 110 and the VPN service apparatus 100. Through the first VPN tunnel, the data is transferred between the VPN service apparatus 100 and the VPN server 140.
  • The VPN connection unit 230 encodes the data to be transmitted to the VPN server 140 using the first encryption key, and decodes the data received from the VPN server 140 using the first encryption key, so that the VPN connection unit 230 may transmit and receive the data to and from the VPN server 140. Alternatively, the VPN connection unit 230 encodes the data to be transmitted to the VPN server 140 using the second encryption key, and decodes the data received from the VPN server 140 using the second encryption key, so that the VPN connection unit 230 may transmit and receive the data to and from the VPN server 140.
  • Furthermore, the VPN connection unit 230 encodes data to be transmitted to the VPN server 140 using the first encryption key and then re-encodes the data using the second encryption key. The VPN connection unit 230 decodes data received from the VPN server 140 using the second encryption key and then re-decodes the data using the first encryption key. It is therefore possible to improve the network security in the transmission and reception of data.
  • The VPN client program may be downloaded to and used in the user device 110 as an application from an operator side responsible for the VPN server 140. Alternatively, the VPN client program may be pre-loaded on the user device 110.
  • Again referring to FIG. 1, the authentication server 120 performs an initial registration process for connecting the user device 110 to the VPN server 140.
  • The VPN server 140 requests the authentication server 120 to issue a license key. The authentication server 120, when receiving the request for issuing the license key from the VPN server 140, issues and transmits the license key to the VPN server 140. The authentication server 120 then stores the ID of the VPN server 140 to which the license key is issued in the authentication database 130. The authentication database 130 may include an ID of the VPN server 140, as well as other information.
  • The authentication server 120 requests the VPN server 140 to perform authentication using the license key. The VPN server 140 verifies the license key to authenticate the authentication server 120, and then generates a first public key and a first private key.
  • Furthermore, the authentication server 120 encodes license information using the license key. An example of the license information includes an ID of the VPN server 140, a license type, a license time-out period, the number of the user device 110, the number of the VPN server 140, and a major IP address and a port (e.g., port 3122). The license information encoded using the license key is transmitted from the authentication server 120 to the VPN server 140 via a general web server.
  • On the other hand, the authentication server 120 receives the authentication data and authentication request from the user device 110. The authentication data includes an ID of the VPN server 140 to be accessed, an ID of the user device 110, and an access password of the VPN server 140. The authentication server 120 stores the authentication data received from the user device 110 in the authentication database 130. The authentication server 120 also accesses the VPN server 140 using the ID of the VPN server 140 included in the authentication data, thereby requesting authentication of the user device 110.
  • When the user device 110 is authenticated by the VPN server 140, the authentication server 120 informs the user device 110 that the authentication is successful. The user device 110, after learning that the authentication is successful from the authentication server 120, generates a second public key, a second private key, a third public key, and a third private key, thereby preparing to transmit and/or receive data to and/or from the VPN server 140.
  • Again referring to FIG. 1, the VPN service apparatus 100 according to an exemplary embodiment may be located in a network operation center (NOC) or a demilitarized zone (DMZ), which is a neutral area between a private network and a public network.
  • FIG. 4 is a block diagram illustrating a configuration of the VPN service apparatus 100 according to an exemplary embodiment.
  • Referring to FIG. 4, the VPN service apparatus 100 according to an exemplary embodiment includes a storage unit 410, an authentication unit 420, a tunnel management unit 430, a security processing unit 440, a connection management unit 450, and a routing unit 460.
  • The storage unit 410 stores a first public key generated by the VPN server 140 and a second public key generated by the user device 110. As mentioned above, the VPN server 140 verifies the license key to authenticate the authentication server 120, and then generates the first public key and the first private key. The user device 110, when authenticated by the VPN server 140, generates a second public key and a second private key.
  • The authentication unit 420 authenticates the VPN server 140 using the first public key and authenticates the user device 110 using the second public key. In detail, when the VPN server 140 requests an access to the authentication unit 420 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • In this case, the algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm. After an algorithm to be used is selected, a symmetric key (third encryption key) to be used in the algorithm (e.g., AES, 3DES) is generated and exchanged between them. The third encryption key is randomly regenerated and exchanged in a periodic manner.
  • The VPN server 140 then encodes the ID of the VPN server 140, the ID of the user device 110 and the first private key using the third encryption key as the symmetric key, and requests the authentication unit 420 to perform authentication. The authentication unit 420 authenticates the VPN server 140 using the first public key. That is, the authentication is implemented in an out-bound process by access to the VPN server 140.
  • In a similar way, when the user device 110 requests access to the authentication unit 420 according to a preset authentication protocol, an algorithm to be used between them is selected. In this case, the algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm. After an algorithm to be used is selected, a symmetric key (second encryption key) to be used in the algorithm (e.g., AES, 3DES) is generated and exchanged between them. The second encryption key is randomly regenerated and exchanged in a periodic manner.
  • The user device 110 then encodes the ID of the VPN server 140, the ID of the user device 110 and the second private key using the second encryption key as the symmetric key, and requests the authentication unit 420 to perform authentication. The authentication unit 420 authenticates the user device 110 using the second public key.
  • The tunnel management unit 430 generates a first VPN tunnel and a second VPN tunnel to relay transmission and/or reception of data between the user device 110 and the VPN server 140. The data is transferred through the first VPN tunnel to or from the VPN server 140 which is authenticated by the authentication unit 420. Through the second VPN tunnel, the data is transferred to or from the user device 110 which is authenticated by the authentication unit 420.
  • The data which is transmitted and/or received between the user device 110 and the VPN server 140 through the first and second VPN tunnels may be encoded by the first encryption key preset between the user device 110 and the VPN server 140.
  • The security processing unit 440, when receiving data from the user device 110, decodes the data using the second encryption key preset in conjunction with the user device 110, encodes it using the third encryption key preset in conjunction with the VPN server 140, and then transmits it to the VPN server 140. The security processing unit 440, when receiving data from the VPN server 140, decodes the data using the third encryption key, encodes it with the second encryption key, and then transmits it to the user device 110.
  • The security processing unit 440 may encode the data received from the user device 110 using the first encryption key, and then re-encode it with the second encryption key. Alternatively, the security processing unit may encode the data received from the VPN server 140 using the first encryption key, and then re-encode it with the third encryption key. That is, the security processing unit 440 can transmit and receive the re-encoded data.
  • The connection management unit 450, when receiving a request to access the VPN server 140 from the user device 110, determines whether the VPN server 140 can be connected to the user device 110 on the basis of information in the authentication database 130, in which each of a plurality of VPN servers 140 is stored in association with information of the at least one user device 110 allowed to access it.
  • The information of the at least one user device 110 allowed to access the plurality of VPN servers 140 respectively may be pre-stored within the authentication database 130, or may be received from the VPN server 140 and stored in the authentication database 130.
  • Furthermore, when the information on the at least one user device 110 allowed to access each of a plurality of VPN servers 140 is the same, the plurality of VPN servers 140 have the same ID and different sub-IDs under that ID. In this case, the connection management unit 450, when receiving a request to access the VPN server 140 from the user device 110, selects the VPN server 140 to be connected to the user device 110 such that the load resulting from access of the user device 110 may be equally distributed among the VPN servers 140 having the same ID. Table 1 shows user devices 110 that can access VPN servers 140 having the same VPN ID but different sub-IDs.
    Table 1
    VPN ID | VPN sub-ID | Accessible user devices
    A      | a, b       | 1, 2, 3, 4
  • When the VPN servers 140 have the same accessible user devices 110 (1, 2, 3, and 4), the VPN servers 140 have the same VPN ID (A) but different VPN sub-IDs (a and b). The sub-ID may be a port number of an actual VPN server 140.
  • When a user device 1 is connected to a VPN server having sub-ID a, the connection management unit 450 decides a VPN server having sub-ID b to be connected to a user device 2 upon receiving a request for access to the VPN server 140 from the user device 2.
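  • The selection rule described above can be modelled as follows. This is an added example, not code from the patent: the class and method names are hypothetical, the database contents are the single row of Table 1, and breaking ties in listing order is an assumption. It also shows the deny-by-default outcome for a device that the authentication database does not list.

```python
class ConnectionManager:
    """Hypothetical model of the connection management unit 450."""

    def __init__(self, auth_db):
        # auth_db maps a VPN ID to its sub-IDs and its allowed user devices.
        self.auth_db = auth_db
        self.sessions = {}  # (vpn_id, device_id) -> sub_id currently serving it

    def load(self, vpn_id):
        """Number of connected devices per sub-ID of one VPN ID."""
        counts = {sub: 0 for sub in self.auth_db[vpn_id]["sub_ids"]}
        for (vid, _device), sub in self.sessions.items():
            if vid == vpn_id:
                counts[sub] += 1
        return counts

    def connect(self, device_id, vpn_id):
        """Return the sub-ID to connect to, or None when access is not allowed."""
        entry = self.auth_db.get(vpn_id)
        if entry is None or device_id not in entry["devices"]:
            return None  # unknown VPN ID or device not listed: refuse
        key = (vpn_id, device_id)
        if key in self.sessions:
            return self.sessions[key]  # already connected, keep the same server
        counts = self.load(vpn_id)
        # Least-loaded server wins; ties go to the first sub-ID listed (assumption).
        chosen = min(entry["sub_ids"], key=lambda sub: counts[sub])
        self.sessions[key] = chosen
        return chosen

    def disconnect(self, device_id, vpn_id):
        self.sessions.pop((vpn_id, device_id), None)


# Table 1 from the text, as the authentication database would hold it.
TABLE_1 = {"A": {"sub_ids": ["a", "b"], "devices": {1, 2, 3, 4}}}

if __name__ == "__main__":
    manager = ConnectionManager(TABLE_1)
    for device in (1, 2, 3, 5):
        print(device, "->", manager.connect(device, "A"))
```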
  • The routing unit 460, when receiving a request for access to a VPN server 140 from the user device 110, establishes a routing path that connects the user device 110 to the VPN service apparatus 100 that establishes a VPN tunnel in conjunction with the VPN server 140 accessible by the user device 110.
  • A plurality of VPN service apparatuses 100 are interconnected in a broadcast manner. Therefore, the routing unit 460 can search for the VPN service apparatus 100 establishing a first VPN tunnel in conjunction with the VPN server 140 accessible by the user device 110.
  • Again referring to FIG. 1, the VPN server 140 is responsible for managing access of the VPN service apparatus 100 and the user device 110 to a client system. The VPN server 140 is located within a private network separated by firewalls of the client system.
  • FIG. 5 is a block diagram illustrating a configuration of an exemplary embodiment of the VPN server 140.
  • Referring to FIG. 5, the VPN server 140 includes a control unit 510, a storage unit 520, and a VPN server management unit 530.
  • The VPN server management unit 530 executes a VPN program for allowing access of the VPN server 140 to the user device 110. An OS is pre-installed on control unit 510. The OS logically connects hardware components in the VPN server 140 to each other and controls them. Further, the OS links various application programs such as a VPN program to the hardware components in the VPN server 140 and controls them.
  • The storage unit 520 stores instructions and data in an electronic format. When the VPN server 140 is operated normally, the storage unit 220 commonly stores a major portion of the OS, all or part of application programs, the currently used data, and so on.
  • FIG. 6 is a block diagram illustrating a configuration of an exemplary embodiment of the VPN server management unit 530.
  • Referring to FIG. 6, the VPN server management unit 530 includes a VPN key management unit 610, a VPN authentication unit 620, a VPN data transceiver unit 630, and a VPN security processing unit 640.
  • The VPN key management unit 610 generates a first public key and a first private key, and registers the first public key in the VPN service apparatus 100. In the VPN key management unit 610, a third public key which is generated from the user device 110 is registered.
  • The VPN authentication unit 620 authenticates the user device 110 using the third public key. Specifically, when the user device 110 requests access using the third private key, the VPN authentication unit 620 authenticates the user device 110 using the third public key. In other words, when the user device 110 requests access to the VPN authentication unit 620 according to a preset authentication protocol, an algorithm to be used between them is selected.
  • In this case, the algorithm to be used between them includes an encryption algorithm, a hash algorithm, an HMAC algorithm, and a compression algorithm. After an algorithm to be used is selected, a symmetric key (first encryption key) to be used in the algorithm (e.g., AES, 3DES) is generated and exchanged between them. The first encryption key is randomly regenerated and exchanged in a periodic manner.
  • The user device 110 then encodes the ID of the VPN server 140, the ID of the user device 110 and the third private key using the first encryption key as the symmetric key, and requests the VPN authentication unit 620 to perform authentication. The VPN authentication unit 620 authenticates the user device 110 using the third public key.
  • The VPN data transceiver unit 630 transmits and receives the data to and from the user device 110 via a first VPN tunnel and a second VPN tunnel. Through the first VPN tunnel, the data is transferred between the VPN server 140 and the VPN service apparatus 100 which authenticates the VPN server 140 using the first public key. Through the second VPN tunnel, the data is transferred between the VPN service apparatus 100 and the user device 110 which is authenticated by the authentication unit 620.
  • The data transmitted to the user device 110 via the VPN data transceiver unit 630 may be encoded using a first encryption key which is preset in conjunction with the user device 110. The data received from the user device 110 via the VPN data transceiver unit 630 may be decoded using the first encryption key.
  • The VPN security processing unit 640 encodes the data to be transmitted to the user device 110 using the first encryption key preset in conjunction with the user device 110, and then re-encodes it using the third encryption key preset in conjunction with the VPN service apparatus 100. The VPN security processing unit 640, when receiving data from the user device 110, decodes the data using the third encryption key and then re-decodes it using the first encryption key. It is therefore possible to improve the communication security by re-encoding data to be transmitted to the user device 110.
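  • The layering described for the user device 110, the security processing unit 440 and the VPN security processing unit 640 can be traced end to end as follows. This is an added example, not code from the patent: the class and function names are hypothetical, the keys are constructed random values, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the AES/3DES and HMAC algorithms so that it runs on the standard library. It compares what the relay holds between the two tunnels when the first encryption key is used as an inner layer and when only the per-tunnel keys are used.

```python
import hashlib
import hmac
import secrets

# Stand-in for the AES/3DES and HMAC algorithms the text names: an
# HMAC-SHA256 keystream with encrypt-then-MAC, used only so the example runs
# on the standard library. Use a vetted AEAD such as AES-GCM in real code.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Encrypt, then MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key, blob):
    """Check the tag before decrypting; ValueError means wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

class Endpoint:
    """User device 110 (hop key = second key) or VPN server 140 (hop key = third key)."""
    def __init__(self, first_key, hop_key):
        self.first_key, self.hop_key = first_key, hop_key

    def send(self, data, end_to_end=True):
        # Inner layer: first key shared by device and server. Outer layer: tunnel key.
        inner = seal(self.first_key, data) if end_to_end else data
        return seal(self.hop_key, inner)

    def receive(self, blob, end_to_end=True):
        inner = unseal(self.hop_key, blob)
        return unseal(self.first_key, inner) if end_to_end else inner

class ServiceApparatus:
    """Relay 100: strips one tunnel's layer and applies the other's."""
    def __init__(self, second_key, third_key):
        self.second_key, self.third_key = second_key, third_key
        self.observed = []  # what the relay holds in memory between tunnels

    def to_server(self, blob):
        inner = unseal(self.second_key, blob)
        self.observed.append(inner)
        return seal(self.third_key, inner)

    def to_device(self, blob):
        inner = unseal(self.third_key, blob)
        self.observed.append(inner)
        return seal(self.second_key, inner)

def build_parties():
    """Constructed random keys standing in for the negotiated symmetric keys."""
    first, second, third = (secrets.token_bytes(32) for _ in range(3))
    device = Endpoint(first, second)
    server = Endpoint(first, third)
    return device, ServiceApparatus(second, third), server

def rejects_tampering(relay, blob):
    """Flip one ciphertext bit and report whether the relay refuses it."""
    damaged = bytearray(blob)
    damaged[20] ^= 0x01
    try:
        relay.to_server(bytes(damaged))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    device, relay, server = build_parties()
    msg = b"constructed sample payload"
    assert server.receive(relay.to_server(device.send(msg))) == msg
    print("relay saw plaintext (layered): ", relay.observed[-1] == msg)
    server.receive(relay.to_server(device.send(msg, end_to_end=False)), end_to_end=False)
    print("relay saw plaintext (hop-only):", relay.observed[-1] == msg)
```

  • With only the second and third encryption keys in use, the relay holds the cleartext between the two tunnels, so a relay placed in a DMZ becomes a decryption point; with the first encryption key as an inner layer it holds only ciphertext.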
  • Again referring to FIG. 1, the authentication database 130 receives and stores various types of information from the authentication server 120 and the VPN server 140 across the network. As mentioned above, the authentication server 120 stores the authentication data received from the user device 110 in the authentication database 130.
  • The authentication data includes an ID of the VPN server 140, an ID of the user device 110, and an access password of the VPN server 140. The VPN server 140 can authenticate the user device 110 on the basis of authentication data stored in the authentication database 130. Further, the authentication server 120 stores the ID of the VPN server 140 issuing a license key in the authentication database 130.
  • The information of at least one user device 110 allowed to access a plurality of VPN servers 140 respectively is stored in the authentication database 130. Furthermore, the VPN server 140 stores the information on the VPN server 140 including the ID of the VPN server 140 in the authentication database 130.
  • Meanwhile, the authentication database 130 stores an ID and a sub-ID of the VPN server 140 as mentioned above, and information of the at least one user device 110 for which access is allowed. This information may be received from the VPN server 140 and stored, or may be pre-stored during construction of the authentication database 130.
  • FIG. 7 is a flowchart illustrating a procedure for establishing a first VPN tunnel between a VPN service apparatus 100 and a VPN server 140 according to an exemplary embodiment.
  • The VPN server 140 requests an authentication server 120 to issue a license key (S710). In response, the authentication server 120 issues the license key and transmits it to the VPN server 140. The authentication server 120 requests the VPN server 140 to perform authentication using the issued license key (S720). The VPN server 140 authenticates the authentication server 120 using the license key and generates a first public key and a first private key (S730).
  • The VPN server 140 registers the generated first public key in the VPN service apparatus 100 (S740). The VPN server 140 then accesses the VPN service apparatus 100 and is authenticated using the first private key (S750). Specifically, the VPN server 140 encodes and transmits the first private key using a preset third encryption key. The VPN service apparatus 100 then authenticates the VPN server 140 using the registered first public key. When the authentication is successful, a first VPN tunnel is generated between the VPN service apparatus 100 and the VPN server 140. The data encoded using the third encryption key can be transferred through the first VPN tunnel.
  • FIG. 8 is a flowchart illustrating a procedure for establishing a second VPN tunnel between a VPN service apparatus 100 and a user device 110 according to an exemplary embodiment.
  • The user device 110 executes a VPN client program that can access a VPN server 140 (S810). When the VPN client program is executed, the user device 110 transmits authentication data and an authentication request to an authentication server 120 (S820). The authentication data may include an ID of the VPN server 140, an ID of the user device 110, and an access password of the VPN server 140, etc., as mentioned above.
  • The authentication server 120 stores the received authentication data in an authentication database 130, accesses the VPN server 140 using the ID of the VPN server 140 included in the authentication data, and requests authentication for the user device 110 (S830). The VPN server 140 authenticates the user device 110 on the basis of the authentication data stored in the authentication database 130 (S840).
  • The user device 110 then generates a second public key and a second private key (S850), and registers the second public key in the VPN service apparatus 100 (S860). The user device 110 encodes the second private key using a preset second encryption key and transmits it to the VPN service apparatus 100. The VPN service apparatus 100 authenticates the user device 110 using the registered second public key and generates a second VPN tunnel through which data is transmitted and received between the VPN service apparatus 100 and the user device 110. Through this tunnel, data encoded using the second encryption key may be transferred between the VPN service apparatus 100 and the user device 110.
  • Furthermore, the user device 110 generates a third public key and a third private key (S870), and registers the third public key in the VPN server 140 (S880). The third public key is registered in the VPN server 140 through a first VPN tunnel between the VPN service apparatus 100 and the VPN server 140. The user device 110 encodes the third private key using a preset first encryption key and transmits it to the VPN server 140. The VPN server 140 authenticates the user device 110 using the registered third public key.
  • Data encoded using the first encryption key can be transmitted and received through the second VPN tunnel between the VPN service apparatus 100 and the user device 110 which is authenticated using the third public key, and the first VPN tunnel between the VPN service apparatus 100 and the VPN server 140.
  • FIG. 9 is a diagram illustrating an exemplary embodiment in which a plurality of clients are managed by the VPN service apparatus 100 according to an exemplary embodiment.
  • The VPN service apparatus 100 performs customer-specific authentication processes and establishes a tunnel for transmitting and receiving data to provide an authenticated VPN path. That is to say, a user device of a customer 1 may access a VPN server of the customer 1 using the VPN path authenticated for the customer 1, but cannot use the VPN path authenticated for a customer 2.
  • In the VPN path authenticated for the customer 2, transmission or reception of data may be implemented using an encryption key between a user device of the customer 2 and a VPN server of the customer 2. Therefore, the user device of the customer 1 cannot access the VPN path authenticated for the customer 2, and the security for each customer is maintained.
  • When a system is established in this way, customers can economically introduce the VPN service apparatus 100. Also, customers can establish a communication network only by authentication of the VPN service apparatus 100 after introducing the VPN server 140.
  • FIG. 10 is a diagram illustrating an embodiment of connecting a head office with branch offices using a VPN service apparatus 100 according to an exemplary embodiment.
  • In the related art, in order to establish a communication network between a head office and branch offices, it is necessary to connect respective VPN servers 140. In this case, complicated network connections and firewall configurations are necessary. The method of connecting a head office with branch offices using the VPN service apparatus 100 according to an exemplary embodiment can be implemented when the VPN server in each branch office is only authenticated by the VPN service apparatus 100 in an out-bound way. In this way, the reliable connection between a head office and branch offices is enabled by the VPN service apparatus 100 located in the head office.
  • Furthermore, when there are a plurality of VPN service apparatus 100 to be connected, the connection conditions can be adjusted to minimize a load applied to the entire VPN service apparatus 100. To this end, the information of a user device 110 and a VPN server 140 to be connected may be preset and pre-stored in an authentication database 130 to minimize the load. Alternatively, entire connection conditions may be controlled by a system for managing the VPN service apparatus 100.
  • It will be understood that, although the terms "first," "second," etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a "first public key" could be termed a "second public key" and, similarly, a "second public key" could be termed a "first public key," without departing from the scope. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
  • The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms "a," "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes" and/or "including," when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
  • Many examples described herein can be machine or computer-implemented at least in part. Some examples can include a computer-readable recording medium or machine-readable recording medium encoded with instructions operable to configure an electronic device to perform methods as described in the above examples. An implementation of such methods can include code, such as microcode, assembly language code, a higher-level language code, or the like. Such code can include computer readable instructions for performing various methods. The code may form portions of computer program products. Further, the code can be tangibly stored on one or more volatile or nonvolatile tangible computer-readable recording media, such as during execution or at other times. Examples of these tangible computer-readable recording media can include, but are not limited to, hard disks, removable magnetic disks, removable optical discs (e.g., compact discs and digital video discs), magnetic cassettes, memory cards or sticks, compact disc read-only memories (CD-ROMs), random access memories (RAMs), read only memories (ROMs), carrier waves (e.g., transmission over the Internet), and the like.
  • An apparatus and method for providing a VPN service based on mutual authentication according to an exemplary embodiment provide a connection in which reliability and security are improved by means of mutual authentication between a client and a VPN server. Also, some embodiments provide an advantage that high scalability and good load balancing are achievable at a low cost by constructing a multi-tiered structure in which several servers are connected. This structure allows problems related to network compatibility and IP collision to be solved by a hosted VPN service of an application layer with no IP allocation.
  • Various modifications can be made to the above-described exemplary embodiments. Thus, it is intended that exemplary embodiments cover all such modifications provided they come within the scope of the appended claims and their equivalents.
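The key layering described for FIG. 8 and in claim 3, together with the per-customer separation of FIG. 9, is shown here as an added example that is not code from the patent: the user device wraps the payload with the first encryption key and then the second, the VPN service apparatus swaps the second-key layer for the third-key layer, and the VPN server removes the third and first layers. AES-256-GCM, the function names and the randomly generated keys are assumptions of this sketch; the patent does not name a cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data under key (AES-256-GCM, an assumption) and prepends the nonce.
func Seal(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, nil), nil
}

// Open reverses Seal; it fails on a wrong key, truncation or modification.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewKey returns a constructed random key standing in for a preset encryption key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// DeviceSend wraps the payload end to end (first key), then for the hop (second key).
func DeviceSend(first, second, payload []byte) ([]byte, error) {
	inner, err := Seal(first, payload)
	if err != nil {
		return nil, err
	}
	return Seal(second, inner)
}

// RelayUplink swaps the second-key layer for the third-key layer; no first key needed.
func RelayUplink(second, third, frame []byte) ([]byte, error) {
	inner, err := Open(second, frame)
	if err != nil {
		return nil, err
	}
	return Seal(third, inner)
}

// ServerReceive: VPN server removes the third-key layer, then the first-key layer.
func ServerReceive(third, first, frame []byte) ([]byte, error) {
	inner, err := Open(third, frame)
	if err != nil {
		return nil, err
	}
	return Open(first, inner)
}

func main() {
	first, second, third := NewKey(), NewKey(), NewKey() // customer 1 (constructed)
	frame, _ := DeviceSend(first, second, []byte("constructed payload"))
	fwd, _ := RelayUplink(second, third, frame)
	got, err := ServerReceive(third, first, fwd)
	fmt.Printf("server recovered %q (err=%v)\n", got, err)
	_, err = RelayUplink(NewKey(), NewKey(), frame) // customer 2's hop keys
	fmt.Println("customer 2 path rejects the frame:", err != nil)
}
```

After the relay strips the second-key layer it holds only first-key ciphertext, so the payload stays opaque to the VPN service apparatus as long as the first key is shared only between the user device and the VPN server.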

Claims (15)

  1. A virtual private network (VPN) service apparatus which receives a first public key and a second public key, wherein the first public key is received from a VPN server and provides access to a user device to a private network, and the second public key is received from the user device, the apparatus comprising:
    a storage unit configured to store the first public key and the second public key;
    an authentication unit configured to authenticate the VPN server using the first public key and to authenticate the user device using the second public key; and
    a tunnel management unit configured to generate a first VPN tunnel and a second VPN tunnel which respectively relay data between the user device and the VPN server, wherein the first VPN tunnel is configured to relay the data between the VPN server and the VPN service apparatus based on the authentication of the VPN server by the authentication unit, and wherein the second VPN tunnel is configured to relay the data between the VPN service apparatus and the user device based on the authentication of the user device by the authentication unit.
  2. The VPN service apparatus of claim 1, wherein the data relayed between the user device and the VPN server through the first and second VPN tunnels is encoded by a first encryption key preset between the user device and the VPN server.
  3. The VPN service apparatus of claims 1 or 2, further comprising a security processing unit configured to:
    decode user device data, if the data is received from the user device, with a second encryption key preset in conjunction with the user device,
    encode first encoded data by encoding the decoded user device data with a third encryption key preset in conjunction with the VPN server, and transmit the first encoded data to the VPN server; and
    decode VPN server data, if the data is received from the VPN server, with the third encryption key, encode second encoded data by encoding the decoded VPN server data with the second encryption key, and transmit the second encoded data to the user device.
  4. The VPN service apparatus of claim 1, if a request to access the VPN server is received from the user device, the apparatus further comprises a connection management unit configured to determine whether to connect the VPN server to the user device based on information in an authentication database.
  5. The VPN service apparatus of claim 1, further comprises a connection management unit, wherein if a request to access the VPN server is received from the user device, and the VPN server is included among a plurality of VPN servers having a same identification (ID), the connection management unit is configured to determine whether to connect the VPN server to the user device based on whether a load resulting from access of the user device would be equally distributed among the plurality of VPN servers having the same ID.
  6. The VPN service apparatus of claim 1, further comprising a routing unit, wherein if a request to access the VPN server is received from the user device, the routing unit configured to establish a routing path for the user device to be connected to the VPN service apparatus generating the first VPN tunnel in conjunction with the VPN server accessible by the user device.
  7. The VPN service apparatus of claim 1, wherein the tunnel management unit receives a third public key through the second VPN tunnel from the user device and transmits the third public key through the first VPN tunnel to the VPN server.
  8. A virtual private network (VPN) service method for providing access of a user device to a private network through a VPN server, the method comprising:
    authenticating the VPN server with a first public key received from the VPN server;
    authenticating the user device with a second public key received from the user device; and
    generating a first VPN tunnel and a second VPN tunnel which respectively relay data between the VPN server and the user device,
    wherein the first VPN tunnel relays the data to and/or from the VPN server based on the authenticating of the VPN server, and
    wherein the second VPN tunnel relays the data to/from the user device based on the authenticating of the user device.
  9. The VPN service method of claim 8, wherein the data relayed between the user device and the VPN server through the first and second VPN tunnels is encoded by a first encryption key preset between the user device and the VPN server.
  10. The VPN service method of claims 8 or 9, further comprising:
    decoding user device data, if the data is received from the user device, with a second encryption key preset in conjunction with the user device;
    encoding first encoded data by encoding the decoded user device data with a third encryption key preset in conjunction with the VPN server;
    transmitting the first encoded data to the VPN server;
    decoding VPN server data, if the data is received from the VPN server, with the third encryption key, encode second encoded data by encoding the decoded VPN server data with the second encryption key; and
    transmitting the second encoded data to the user device.
  11. A non-transitory computer-readable recording medium recording a program thereon for executing a method, which is implemented in a user device and provides access to a private network through a virtual private network (VPN) server and a VPN service apparatus, the method comprising:
    requesting the VPN server to perform an initial authentication;
    if the initial authentication by the VPN server is successful, generating a first public key, a first private key, a second public key and a second private key;
    registering the first public key with the VPN service apparatus and obtaining a first authentication from the VPN service apparatus with the first public key;
    registering the second public key with the VPN server and obtaining a second authentication from the VPN server with the second public key; and
    transmitting and/or receiving data to/from the VPN server via the VPN service apparatus, wherein the data is transmitted and/or received through a VPN tunnel which is between the VPN service apparatus and the user device.
  12. A virtual private network (VPN) providing apparatus for providing access of a user device to a private network, the apparatus comprising:
    a VPN key management unit configured to generate a first public key and a first private key to register the first public key with a VPN service apparatus relaying transmission and/or reception of data to/from the user device, and to obtain a registration of a second public key generated by the user device;
    a VPN authentication unit configured to authenticate the user device with the second public key; and
    a VPN data transceiver unit configured to transmit and/or receive the data to/from the user device via the VPN service apparatus through a VPN tunnel, wherein the data is relayed between the VPN providing apparatus and the VPN service apparatus through the VPN tunnel if the VPN providing apparatus is authenticated with the first public key.
  13. The VPN providing apparatus of claim 12, further comprising a VPN security processing unit configured to encode the data to be transmitted to the user device with a first encryption key preset in conjunction with the user device and re-encode the data with a second encryption key preset in conjunction with the VPN service apparatus; and decode the data received from the user device with the second encryption key, and re-decode the data with the first encryption key.
  14. A virtual private network (VPN) providing method, which is implemented in a VPN providing apparatus and allows access of a user device to a private network via a VPN service apparatus relaying transmission and reception of data to and from the user device, the method comprising:
    generating a first public key and a first private key;
    registering the first public key with the VPN service apparatus;
    obtaining a registration of a second public key generated by the user device;
    authenticating the user device with the second public key; and
    transmitting and/or receiving data to/from the user device via the VPN service apparatus through a VPN tunnel, wherein the data is relayed between the VPN providing apparatus and the VPN service apparatus through the VPN tunnel if the VPN providing apparatus is authenticated with the first public key.
  15. The VPN providing method of claim 14, further comprising encoding the data to be transmitted to the user device with a first encryption key preset in conjunction with the user device and re-encoding the data with a second encryption key preset in conjunction with the VPN service apparatus, and decoding the data received from the user device with the second encryption key and re-decoding the data with the first encryption key.
EP12186304.7A 2011-09-28 2012-09-27 Apparatus and method for providing virtual private network service based on mutual authentication Withdrawn EP2575297A3 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020110098387A KR101303120B1 (en) 2011-09-28 2011-09-28 Apparatus and method for providing virtual private network service based on mutual authentication

Publications (2)

Publication Number Publication Date
EP2575297A2 true EP2575297A2 (en) 2013-04-03
EP2575297A3 EP2575297A3 (en) 2015-02-11

Family

ID=47191500

Family Applications (1)

Application Number Title Priority Date Filing Date
EP12186304.7A Withdrawn EP2575297A3 (en) 2011-09-28 2012-09-27 Apparatus and method for providing virtual private network service based on mutual authentication

Country Status (4)

Country Link
US (1) US8959614B2 (en)
EP (1) EP2575297A3 (en)
KR (1) KR101303120B1 (en)
CN (1) CN103036867B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016009106A1 (en) * 2014-07-18 2016-01-21 Nokia Technologies Oy Access to a node
WO2023175915A1 (en) * 2022-03-18 2023-09-21 日本電気株式会社 Session control device, session control system, session control method, and non-transitory computer-readable medium

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7127520B2 (en) 2002-06-28 2006-10-24 Streamserve Method and system for transforming input data streams
FI125972B (en) * 2012-01-09 2016-05-13 Tosibox Oy Equipment arrangement and method for creating a data transmission network for remote property management
JP5762991B2 (en) * 2012-02-03 2015-08-12 株式会社東芝 Communication device, server device, relay device, and program
KR101946874B1 (en) * 2012-09-03 2019-02-13 엘지이노텍 주식회사 System for certificating program
KR102108000B1 (en) * 2013-12-23 2020-05-28 삼성에스디에스 주식회사 System and method for controlling virtual private network
EP3200420B1 (en) * 2016-01-29 2021-03-03 Vodafone GmbH Providing communications security to an end-to-end communication connection
CN105656624A (en) * 2016-02-29 2016-06-08 浪潮(北京)电子信息产业有限公司 Client side, server and data transmission method and system
US10534843B2 (en) 2016-05-27 2020-01-14 Open Text Sa Ulc Document architecture with efficient storage
US10348698B2 (en) * 2016-09-15 2019-07-09 Nagravision S.A. Methods and systems for link-based enforcement of routing of communication sessions via authorized media relays
US10764263B2 (en) * 2016-11-28 2020-09-01 Ssh Communications Security Oyj Authentication of users in a computer network
EP3379794B1 (en) * 2017-03-20 2019-12-04 LINKK spolka z ograniczona odpowiedzialnoscia Method and system for realising encrypted connection with a local area network
JP6577546B2 (en) * 2017-09-25 2019-09-18 株式会社東芝 Remote access control system
CN109639553B (en) * 2018-12-25 2021-04-27 杭州迪普科技股份有限公司 IPSec (Internet protocol Security) negotiation method and device
CN111538781B (en) * 2020-04-13 2023-01-13 深圳创客区块链技术有限公司 Block chain cross-chain key secure access method, device and storage medium
CN113347071B (en) * 2021-05-20 2022-07-05 杭州快越科技有限公司 Method, device and equipment for establishing dynamic Virtual Private Network (VPN)
CN113691545B (en) * 2021-08-26 2023-03-24 中国电信股份有限公司 Routing control method and device, electronic equipment and computer readable medium
KR102444356B1 (en) * 2021-11-19 2022-09-16 주식회사 제론소프트엔 Security-enhanced intranet connecting method and system
CN114499954A (en) * 2021-12-21 2022-05-13 海光信息技术股份有限公司 Management device and method for sensitive data
US11888793B2 (en) 2022-02-22 2024-01-30 Open Text Holdings, Inc. Systems and methods for intelligent delivery of communications
US11552932B1 (en) * 2022-02-24 2023-01-10 Oversee, UAB Identifying virtual private network servers for user devices
CN116781428B (en) * 2023-08-24 2023-11-07 湖南马栏山视频先进技术研究院有限公司 Forwarding system based on VPN flow

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060126952A (en) 2003-10-10 2006-12-11 사이트릭스 시스템스, 인크. A persistent and reliable session securely traversing network components using an encapsulating protocol

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100471790B1 (en) * 2003-01-14 2005-03-10 어울림정보기술주식회사 Device for sending data using multi-tunneled virtual private network gateway
JP4173517B2 (en) * 2003-03-05 2008-10-29 インテリシンク コーポレイション Virtual private network between computing network and remote device
EP1643691B1 (en) * 2003-07-04 2007-12-05 Nippon Telegraph and Telephone Corporation Remote access vpn mediation method and mediation device
JP4492248B2 (en) * 2004-08-04 2010-06-30 富士ゼロックス株式会社 Network system, internal server, terminal device, program, and packet relay method
JP4707992B2 (en) * 2004-10-22 2011-06-22 富士通株式会社 Encrypted communication system
US9137043B2 (en) * 2006-06-27 2015-09-15 International Business Machines Corporation System, method and program for determining a network path by which to send a message
JP4802263B2 (en) * 2009-07-17 2011-10-26 株式会社日立製作所 Encrypted communication system and gateway device

Also Published As

Publication number Publication date
KR101303120B1 (en) 2013-09-09
EP2575297A3 (en) 2015-02-11
US20130081132A1 (en) 2013-03-28
CN103036867A (en) 2013-04-10
US8959614B2 (en) 2015-02-17
CN103036867B (en) 2016-04-13
KR20130034401A (en) 2013-04-05

Similar Documents

Publication Publication Date Title
US8959614B2 (en) Apparatus and method for providing virtual private network service based on mutual authentication
US11868449B2 (en) Dynamic monitoring and authorization of an optimization device
US10205611B2 (en) Middleware as a service
CN105940644B (en) Virtual Private Network (VPN) with distribution optimization while keeping end-to-end data safety services
US9226146B2 (en) Dynamic PSK for hotspots
EP2632108B1 (en) Method and system for secure communication
US9824193B2 (en) Method for using mobile devices with validated user network identity as physical identity proof
CN103503408B (en) system and method for providing access credentials
US10637830B2 (en) VPN access control system, operating method thereof, program, VPN router, and server
US20070226499A1 (en) Session key management for public wireless lan supporting multiple virtual operators
US20180375648A1 (en) Systems and methods for data encryption for cloud services
CN108881308A (en) A kind of user terminal and its authentication method, system, medium
US10362608B2 (en) Managing wireless client connections via near field communication
AU2020279735A1 (en) Computing system and related methods providing connection lease exchange and mutual trust protocol
US11588795B2 (en) Method and system for data tasking and receipt
CA2850114C (en) Techniques for accessing logical networks via a programmatic service call
JP6312325B2 (en) Client terminal authentication system and client terminal authentication method in wireless communication
EP4358473A1 (en) System and method for safely relaying and filtering kerberos authentication and authorization requests across network boundaries
JP2017163186A (en) End-to-end communication system, end-to-end communication method, and computer program

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20120927

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/06 20060101ALI20150107BHEP

Ipc: H04L 12/46 20060101AFI20150107BHEP

17Q First examination report despatched

Effective date: 20170519

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20180627